Using Resource-Based Policies with the EventBridge Schema Registry - Amazon EventBridge

Using Resource-Based Policies with the EventBridge Schema Registry

The EventBridge Schema Registry supports resource-based policies. A resource policy is a policy that is attached to a resource rather than to an IAM identity. For example, in Amazon Simple Storage Service (Amazon S3), a resource policy is attached to an Amazon S3 bucket.

For more information on EventBridge Schemas and resource-based policies, see the following.

Supported APIs for Resource-based Policies

The following APIs can be used with resource-based policies for the EventBridge Schema Registry.

  • DescribeRegistry

  • UpdateRegistry

  • DeleteRegistry

  • ListSchemas

  • SearchSchemas

  • DescribeSchema

  • CreateSchema

  • DeleteSchema

  • UpdateSchema

  • ListSchemaVersions

  • DeleteSchemaVersion

  • DescribeCodeBinding

  • GetCodeBindingSource

  • PutCodeBinding

Example Policy Granting All Supported actions to an AWS Account

For the EventBridge Schema Registry, a resource-based policy is always attached to a registry. To enable access to a schema, you must specify the schema ARN as well as the registry ARN in the policy.

To grant a user access to all available APIs for EventBridge Schemas, use a policy similar to the following, where the "Principal" is the account ID of the account you want to grant access.

{ "Version": "2012-10-17", "Statement": [ { "Sid": "Test", "Effect": "Allow", "Action": [ "schemas:*" ], "Principal": { "AWS": [ "109876543210" ] }, "Resource": [ "arn:aws:schemas:us-east-1:012345678901:registry/default", "arn:aws:schemas:us-east-1:012345678901:schema/default*" ] } ] }

Example Policy Granting Read-only Actions to an AWS Account

The following example grants access to an account for only the read-only APIs for EventBridge Schemas.

{ "Version": "2012-10-17", "Statement": [ { "Sid": "Test", "Effect": "Allow", "Action": [ "schemas:DescribeRegistry", "schemas:ListSchemas", "schemas:SearchSchemas", "schemas:DescribeSchema", "schemas:ListSchemaVersions", "schemas:DescribeCodeBinding", "schemas:GetCodeBindingSource" ], "Principal": { "AWS": [ "109876543210" ] }, "Resource": [ "arn:aws:schemas:us-east-1:012345678901:registry/default", "arn:aws:schemas:us-east-1:012345678901:schema/default*" ] } ] }

Example Policy Granting All Actions to an Organization

You can also use resource-based policies with the EventBridge Schema Registry to grant access to an organization ID. For more information, see the AWS Organizations User Guide.

{ "Version": "2012-10-17", "Statement": [ { "Sid": "Test", "Effect": "Allow", "Action": [ "schemas:*" ], "Principal": "*", "Resource": [ "arn:aws:schemas:us-east-1:012345678901:registry/default", "arn:aws:schemas:us-east-1:012345678901:schema/default*" ], "Condition": { "StringEquals": { "aws:PrincipalOrgID": [ "o-a1b2c3d4e5" ] } } } ] }